
The case of IE7 that would not run

Yesterday I met an interesting behavior of IE7. On one of my computers, which runs Windows Server 2003 SP1, I was trying to publish a post to my blog (‘the power of IDA’), but I failed to do that: IE7 was crashing when I tried to write something in the editor. Moreover, IE7 does not correctly display my posts on the blog, especially when I try to put a screenshot into the post.

So I decided to download the most popular version of IE7, the one for XP SP2, and install it on my second machine, which runs XP SP2. I downloaded and installed IE from http://download.microsoft.com. I checked ‘install latest updates’ and … it still crashes.

Okay, I have a chance (at least) to figure out what’s wrong in IE. I took the following steps to reproduce the problem:

I took the URL that causes the problem and set it as IE’s home page. Then I restarted the program, and … each time I run IE it crashes. Excellent: I have a 100 % reproducible case. Here is a screenshot of the crash in front of WinDbg; each time I restart the debugging session I get the message that IE crashed (it’s in Russian):

Here is what I see in my WinDbg command window during each session I run the browser:

It seems something goes wrong inside the mscorwks library. I started debugging the code of mscorwks but then realized that a better way is to set an exception filter and analyze the call stack. I made a filter for C++ EH and CLR exceptions and restarted the debugging session. The exception occurred, the debugger broke in, and the last function I see in the stack is:
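The filter itself is not shown in the post. As an added example (not the author’s session), these are the WinDbg commands that set up a break on first-chance C++ EH and CLR exceptions and, once the break hits, dump the native and managed stacks; `.loadby sos mscorwks` assumes the .NET 2.0-era runtime the listing belongs to is already loaded in the process.

```windbg
* Break on first-chance C++ exceptions (the kind _CxxThrowException raises) and CLR exceptions
sxe eh
sxe clr
* Confirm the filter state, then let IE run until it throws
sx
g
* Once the debugger breaks in: native stack with arguments, then the managed view via SOS
kb
.loadby sos mscorwks
!pe
!clrstack
```

With the filter in place the debugger stops at the throw site rather than at the later fault, so `kb` shows the frames that decided to throw, which is what the disassembly below walks back through.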

.text:79FE2BBE l_ThrowException: ; CODE XREF: sub_79FE2ABB+DDj
.text:79FE2BBE ; sub_79FE2ABB+E7j ...
.text:79FE2BBE 68 88 F1+ push offset unk_7A34F188
.text:79FE2BC3 8D 85 E0+ lea eax, [ebp-220h] ;
.text:79FE2BC9 50 push eax
.text:79FE2BCA 89 B5 E0+ mov [ebp-220h], esi
.text:79FE2BD0 E8 97 77+ call _CxxThrowException ;

As you can see, it throws an exception because of some undefined state. But this is the result of the problem, and I am interested in more details. Label l_ThrowException is reached in several cases. Here is the code that calls it:

.text:79FE2B90 l_callUnregisterServer: ; CODE XREF: sub_79FE2ABB+AFj
.text:79FE2B90 FF 15 50+ call off_7A381250
.text:79FE2B96 85 C0 test eax, eax
.text:79FE2B98 74 24 jz short l_ThrowException
.text:79FE2B9A FF 15 50+ call off_7A381250
.text:79FE2BA0 85 C0 test eax, eax
.text:79FE2BA2 74 1A jz short l_ThrowException
.text:79FE2BA4 8D 8D E0+ lea ecx, [ebp-220h]
.text:79FE2BAA 81 E9 00+ sub ecx, 0C000h
.text:79FE2BB0 3B 88 EC+ cmp ecx, [eax+1ECh]
.text:79FE2BB6 73 06 jnb short l_ThrowException
.text:79FE2BB8 50 push eax
.text:79FE2BB9 E8 00 C3+ call sub_79FEEEBE
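To make the branch structure of the listing easier to follow, here is an added C rendering of it. This is my reconstruction, not code from the post or from mscorwks: the struct name, the field name for `[eax+1ECh]`, the getter standing in for `off_7A381250` and the two outcome names are assumptions, and the scenario fixture is constructed. It models only the control flow visible above (three ways to reach `l_ThrowException`, one way to reach `sub_79FEEEBE`), so what the comparison actually guards is deliberately left open.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the object returned by off_7A381250.
   The listing only touches the dword at offset 1ECh, so that is the
   only named field; the padding just keeps the offset right. */
typedef struct {
    uint8_t   pad[0x1EC];
    uintptr_t field_1EC;   /* [eax+1ECh]; its meaning is not known from the post */
} ObjFrom7A381250;

typedef ObjFrom7A381250 *(*getter_fn)(void);   /* models "call off_7A381250" */

enum Outcome {
    OUTCOME_THROW = 0,          /* a branch to l_ThrowException was taken */
    OUTCOME_CALL_79FEEEBE = 1   /* fell through to "push eax / call sub_79FEEEBE" */
};

/* frame_local is the address of the caller's [ebp-220h] local. */
enum Outcome l_callUnregisterServer(getter_fn get_obj, uintptr_t frame_local)
{
    ObjFrom7A381250 *obj = get_obj();          /* call off_7A381250 ; test eax,eax */
    if (obj == NULL)
        return OUTCOME_THROW;                  /* jz short l_ThrowException */

    obj = get_obj();                           /* second identical call and test */
    if (obj == NULL)
        return OUTCOME_THROW;                  /* jz short l_ThrowException */

    /* lea ecx,[ebp-220h] ; sub ecx,0C000h  (unsigned wrap-around, like x86 sub) */
    uintptr_t ecx = frame_local - 0xC000;
    if (ecx >= obj->field_1EC)                 /* cmp ecx,[eax+1ECh] ; jnb = unsigned >= */
        return OUTCOME_THROW;

    return OUTCOME_CALL_79FEEEBE;              /* push eax ; call sub_79FEEEBE */
}

/* Constructed fixture so the getter can return NULL or an object with a chosen field. */
static ObjFrom7A381250  g_obj;
static ObjFrom7A381250 *g_obj_ptr = NULL;

static ObjFrom7A381250 *constructed_getter(void) { return g_obj_ptr; }

/* Runs one scenario and returns which branch the listing would take. */
enum Outcome run_scenario(int obj_present, uintptr_t field_1EC, uintptr_t frame_local)
{
    g_obj.field_1EC = field_1EC;
    g_obj_ptr = obj_present ? &g_obj : NULL;
    return l_callUnregisterServer(constructed_getter, frame_local);
}

int main(void)
{
    printf("no object        -> %d\n", run_scenario(0, 0x200000, 0x100000));
    printf("probe below 1ECh -> %d\n", run_scenario(1, 0x200000, 0x100000));
    printf("probe equal 1ECh -> %d\n", run_scenario(1, 0x0F4000, 0x100000));
    printf("probe above 1ECh -> %d\n", run_scenario(1, 0x010000, 0x100000));
    return 0;
}
```

The point of the rendering is the `jnb`: it is an unsigned comparison, so the throw fires when `[ebp-220h] - 0C000h` is greater than or equal to the field, including the exact-equal case.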

After deeper analysis I realized that this code detects the type of exception. Step by step I started moving up to the higher level. The exception-raising code is invoked here:

loc_79FE2B54 seems interesting, because it checks some flag in sub_79E744CF: if the flag is zero it calls l_callUnregisterServer, but if the flag is non-zero the following code is executed:

Disclaimer: The postings and software on this blog are provided "AS IS" with no warranties, and confer no rights.
This blog is maintained in my free time and has nothing to do with my current employer.